I hope he wins, mainly so cell operators will perhaps take security more seriously. Not long ago, I was with T-Mobile. My username was my phone number, and the password, you could request and they'd send it to you in an email.
With the climb of social media, our phone numbers are more a part of our identity than ever before, and carriers lack of security is being thrust into the spotlight.
There are of course two sides to every coin. The flip side is, cell carriers never signed up to be a secure identification mechanism. SMS wasn't designed for security, and there's little financial incentive for them to invest in those changes, i.e., they don't charge you more for secure authorization of 3rd party platforms. I think its very akin to the US Social Security Number being used as a 'secure' identification in many cases.
I imagine a world where you go into the cell store, and they demand three forms of identification including a utility bill to talk to you. I can already hear the complaints from a much larger portion of their customer base.
That's a good point in general; NIST recommends not using SMS for challenge-response authentication.
I don't know whether in this case the victim was using SMS codes, or whether the attacker used their phone number as part of a more involved attack (e.g. calling customer support and impersonating the victim). Even if you don't use SMS codes, there are a number of attacks that are opened up if someone seizes your cell phone number.
In general, however, I think it would be a good thing if service providers were held liable for damages occurring due to account breaches; that's the only way we're going to get proper account security. Schneier has written on this subject extensively, e.g. https://www.schneier.com/essays/archives/2003/11/liability_c....
I work in fraud prevention. While it's not yet a typical attack, it is does happen regularly.
Usually the attack is done against an individual who is known to have significant crypto assets and is using Gmail. By default if you enable 2fa on your Gmail account, sms based 2fa is activated as backup.
The attacker social engineers the phone provider to port the victims number, then resets the victims Gmail account, uses Android device manager to wipe their devices, and using the details found in Gmail they proceed to gain access to other accounts owned by the victim. The main goal being to social engineer access to services where they store crypto or to find unencrypted wallet backups in the cloud.
The previous best option I was aware of with Gmail was to add a pair of Yubikeys, then explicitly remove your cellphone from the account, to close the gap you mention.
Exactly. You can always debate specific security practices. But there's definitely a tradeoff between resistance to social engineering and related attacks on the one hand and convenience on the other hand.
You give one example. It also applies when people lose the password for an account, no longer have access to their original or backup email, etc. The most secure thing to do is probably to tell the customer "tough." But that won't go over very well so account recovery practices get put in place that are probably susceptible to social engineering attacks.
What if carriers created an "enhanced security mode," which users can opt-in to if they want more security and are okay with sacrificing convenience in case of account recovery?
It would be similar to the account recovery aspect of Google's Advanced Protection Program: "A common way that hackers try to access your account is by impersonating you and pretending they have been locked out of your account. To give you the strongest protection against this type of fraudulent account access, Advanced Protection adds extra steps to verify your identity during the account recovery process. If you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account."[1]
I just want a world where you go into a cell store, and they don't tell you they've got a great idea, just make your PIN your birthdate.
If they actually took part that seriously, most identification could be done with a PIN or a password or whatever and the serious identification could be reserved for people who've actually forgotten.
Exactly. I was able to get into my Verizon account at the store by showing the sales guy my number on my phone. I was moving my number to my non-work billing account.
When I was surprised that this is all the authn they needed, the sales guy joked with the rhetorical question “well, you are <my name>, right?” i.e. “well, it ain’t a problem at the moment, right?”
sms password resets are not 2fa. 2fa means you have two factors of authentication. If the only thing you need to authenticate is control over a phone number, then that's just one factor.
Two factor authentication is when you need both a password and an SMS token, like how GitHub does it.
I'm not saying SMS 2fa is strong enough, often passwords are weak and/or weakly guarded, and ostensibly phone numbers can be fidgeted with. But having a phone number be the only thing guarding your entire identity is a whole next level of weak.
There are plenty of secure messaging services out there. Making one that works for everyone is not a trivial problem.
Suppose you own a coffee shop and offer free wifi, should you be held responsible if someone logs into a bank without SSL and gets their credentials sniffed?
Should you be responsible for designing a wifi protocol that uniquely encrypts the traffic of each user, without shared keys, to prevent sniffing?
In my opinion "take security more seriously" is too nebulous to be constructive here. What do we want these companies to do? Security is an incredibly hard problem. It is only exacerbated when we go years without speaking with one of these companies. Anything that you have to remember in that time whether it is a password, pin code, or "who was your childhood hero" type security questions can all be forgotten. How else is this company supposed to identify you over the phone, without something that can be forgotten, without referencing easy to find public information, and without using a secondary verified contact method like email?
Stop giving out my data/access to anyone but me. Once you set a general company attitude towards distribution of data/access, you can't ask for pity when that attitude comes back to bite you. Collect less, lock it down, proliferate it less, etc. Then you'll get my sympathy when an employee at one of your stores gives away my data/access.
And no, restricting data/access and ease of use are not completely mutually exclusive. There is a harmonious middle of the venn diagram that is completely different to the way things are currently run. Nobody's asking to force 2FA on cell phones here (unless we opt-in), we're just asking for better identity verification and less apathy towards giving out my info (in all cases).
Reasonable attempts at identification validation, especially in these contexts, can be excused when they fail for a very determined actor. But I don't think these attempts are occurring not because the policies aren't there (even though many times they aren't), but because there is a general attitude to not care about what is being protected. If it were my bars of gold you can damn well bet vigilance would be higher.
No, the problem is often the company doesn't care. In their defense, they believe they are trying to help you and probably 99% of the time, that is what they are doing.
Is there an absolute requirement to be able to demonstrate your identity over the phone even if you have no secret information with which to confirm it?
How about, if you forget your password and can’t get into your account, you need to visit a store in person to show your ID, or mail in a notarized copy, or something like that?
Requiring customers to come to a store would basically exclude anyone from accessing their account outside the retail footprint of the company. That isn't realistic for companies that are trying to provide you a global service like most telecoms.
It also introduces plenty of other problems. For example, if you are mugged on the street and lose your phone and wallet are you just frozen out of your mobile account until you can get to the DMV and wait the month until you get a new ID?
It is a hard problem that can't just be fixed by "taking it seriously".
Physical presence wouldn’t be required unless you forgot your credentials. If you are mugged and forgot your password, then you’d be screwed. I’m not sure how reasonable it is to try to make that particular situation better though.
I think there could be a sliding scale of sorts, with the last resort as sorry, you must visit a store.
Perhaps a series of strong security questions(no 'mothers maiden name' type), and if failed, you must present ID at a physical location.
Perhaps a copy of an ID or other photo on file that you could match/resend?
Maybe an option to 'lock' the account to changes, that can only be unlocked by the user when logged in, or by visiting a store?
Just off the top of my head, I can think of hundreds of things these companies could be doing better..many of which are not 100% foolproof, but far ahead of what they're doing now.
> Maybe an option to 'lock' the account to changes, that can only be unlocked by the user when logged in, or by visiting a store?
AT&T sorta offers this - there's an enhanced security option that lets you provide a password or PIN if you want to make account changes. This is allowed in lieu of ID.
My AT&T account is technically still tied to my father-in-law, because my wife and I took it over over a decade ago, when we were still in college. They no longer have AT&T phones and I consider it my account, but whenever I visit a store I have to provide the password before I can upgrade my phone or change the service plan. To move the account into my name would require me and my FIL to visit a store together, which is inconvenient enough that we've not bothered.
Other poster is correct, sorry if it wasn't clear. Essentially, they were storing passwords either in plaintext or a reversable encryption scheme.
Now, this was a few years ago, so I don't know the current setup, but not so far back that not storing plaintext passwords wasn't common knowledge...
While I was working at a blockchain forensics company (we built one of the first AI backed block-explorers both for Bitcoin and Ethereum & our service was also used to identify the DAO hack), both myself and my boss were targeted multiple times a year with this kind of attack even though we held no crypto through the company. It seemed that just since my name was on the web with the word crypto I was a target.
To this day I have a personal phone and a revolving burner I only use for non-SMS 2FA with an unlisted number, which is kept in an EMF proof bag while not in use.
Security for this kind of thing is an absolute joke.
Granted, this guy should've known better granted the value of his holdings... Most also don't know that accounts such as Authy and other non-SMS 2FA authenticators can still be stolen if your mobile number is stolen.
However, I'm still waiting for a carrier that creates a system that can't be trivially socially engineered by bored Chinese scammers...
> Most also don't know that accounts such as Authy and other non-SMS 2FA authenticators can still be stolen if your mobile number is stolen.
I was under the impression that apps like Authy and Google Authenticator have no connection with the telephone network/phone number. Do you have any reference that claims otherwise?
Authy specifically stores your account in the cloud and can be recovered using SMS. They have a 24 hour warning period during which the email address on file receives multiple notifications that a recovery is being attempted with the option to cancel but if someone has control over your phone number for an extended period of time they can absolutely take over your Authy account. I found this out when my Authy account was corrupted somehow and support said, hey no worries just go through the recovery process.
Google Authenticator is offline only and is not vulnerable.
Yes but your backup is encrypted by a password. So even if someone steals your number for long enough to go through recovery, they still need to be able to decrypt the backup.
>this password is not stored anywhere on Authy's servers! If you forget the password and none of your devices are synched, your tokens are lost and you will need to delete them and start over
I mentioned this because I know multiple people who've had authy / other authenticators compromised down the line from social engineering attacks. Even if you can be alerted, usually it's too late by the time you realize what's happened to your creds.
No that’s wrong. TOTP based 2FA is totally out of band with the only attack vectors being losing your physical device (or a device backup!) or leaking of the secret from the server side.
No that's wrong, authy backs up your TOTP seed to their server and will give them out to anyone who gains access to your authy account and can verify that they can receive sms messages sent to the number associated with the authy account. (Though they are encrypted and authy does not store the encryption keys).
Authy at least will let you "recover" your account by them sending a text message to the associated phone number. Tap the link in the message and presto, 2FA codes.
Wasn't it like a year ago that famous YouTubers and such were getting their accounts stolen the exact same way and AT&T promised they would tighten up security measures?
I’m not sure if he has any legal recourse against AT&T, but it’s another example why sms based 2FA is a bad security scheme, especially if you’re a high value target.
> After the first hack, Terpin alleged that an impostor was able to get his phone number from an "insider cooperating with the hacker" without an AT&T store employee requiring him to show valid identification or provide a required password.
If what he's alleging is true, then he certainly has a case against AT&T.
I see the advice not to use SMS for 2FA comes up a lot on HN, and understand the reasons why that is true. But I find that recommendation comes up short. What are the alternatives, and how can they be widely deployed for little cost?
Token based 2FA, either via something like google authenticator or a USB dongle like a Yubikey or RSA token.
The point is to prove that you have possession of both knowledge and a physical token (hence two factor). And while sms to phone makes it seem like you are proving possession of the phone, you’re actually proving that you have the phone that texts will route to. That last bit is movable and subject to shockingly little security, hence the issue.
Even 2FA that involves you receiving a call is more secure than 2FA that involves you getting a text, but of course that too should not be used, ever. It's just that SMS is that much worse. I wish I could share on HN the technique anyone anywhere can use to take over any mobile number's SMS traffic within a minute so we can discuss it at great detail, but obviously I know better and would never do it. Unfortunately this knowledge is not limited to myself and many people out there know this especially after being in telecom for a while.
And at provider's stores they are too eager to please a "customer" so social engineering is very effective at swapping SIM cards out and hijacking your number.
That’s one part of the problem. The other part is that it’s actually quite easy to convince most cell phone carriers to change the SIM card associated with a given phone number. Once you’ve pulled that off hijacking the account is easy.
It's not exactly plaintext. Last time I saw it was using broken crypto (may have changed since then, but I doubt it), and it encrypts the data hop by hop, so that if you insert yourself as a hop, you'll just have decrypt (with your keys), read and encrypt it.
Publicity and tens of millions in Bitcoin /Ethereum++ is a bad idea. Especially since once it's gone it's gone. Hacking your account means FU money and then some, with less chance of getting caught than other crimes. So they have all the incentive in the world to take heir sweet time...even if they lost 50% laundering, it's still more than enough.
I'm all for At&t to be held responsible if they broke security protocols. They charge an arm and a leg
If Bank A makes my PIN number automatically the last 4 of my SSN, and Company B discloses that information, is Company B responsible for 9 times whatever losses I incur if my ATM is stolen?
a cryptosystem has to stay secure even if everything about the system, except the key, is public knowledge. So Bank A is at fault, because it neglected basic guiding principles for designing security systems.
I think that ship has already sailed. We need to be moving to a world where those magic strings aren't valuable, and punish companies that use them. It seems unfair; punishment feels it should be directed at the leakers, but you can't put toothpaste back in a tube, at least not cleanly, and the toothpaste is still likely contaminated regardless.
Sorry I really wasn't trying to be a dick here. The original post asked whether one party could sue instead of being responsible. It is possible that this is why my post seems childish.
The point I was trying to make was about conflating the damages being sought in a lawsuit by one party and the actual damages owed by other other in a lawsuit. I think it is pretty common practice for the plaintiff pick a high number out of somewhat thin air to prevent themselves from pricing themselves from leaving money on the table.
Are there any phone companies that have decent security practices? As far as I can tell switching is pointless because they're all awful in this regard.
That's the wrong question to ask. There are no financial institutions that have proper 2FA. I don't know of a single bank in the US that uses any standard 2FA. They all use SMS. Recently, I found that you can make paypal (US) use TOTP 2FA with a workaround. I recommend everyone to do that.
My snarky answer is use an MVNO that will both show up as the base carrier to any searching online/number lookups, and has completely useless clueless terrible support that either couldn't or wouldn't redirect like this.
Assuming you even have to use SMS, get some weird walmart mobile service that you can't even really call for support.
It's security through obscurity but they often literally wont let you port your number out without absurd gymnastics, the support people don't know how, their crappy web based management system the CSRs use doesn't have a button, etc.
Sorry for his loss, and the mobile providers do need to do something about this known attack vector. But with cryptocurrencies you need to "be you own bank", and extending his own analogy how many legitimate or long lasting banks would store USD24 million in cash in a hotel room safe?
Following this analogy, would the bank sue the builder or vault manufacturer if they gave someone a key to the vault without the bank's knowledge and it was used to rob the vault? Or might the bank sue a armored carrier for irresponsibly storing monies that were stolen in transit between banks?
Maybe you can be your own bank, but banks have to depend on external factors/entities to do what they're supposed to do as well.
Seems reasonable, because bank vaults and armoured vehicles are designed specifically for protecting high value items. Hotel room safes on the other hand are not (in fact some even have a disclaimer advising you not to store valuables in them).
> Terpin was the victim of two hacks within seven months
If indeed these were separate occurrences of breaking in through the same phone account—and the article is not definitive on this—then the punitive damages seem quite appropriate. “Fool me twice, shame on me,” and all that.
Given the revelation that phone number security just isn't that secure, I have changed my online accounts that allow 2FA to use a crypto key. However, I have found that most seem to only allow crypto keys in addition to a cell phone number. You can't turn it off. Has anyone else noticed this? What is the point of moving to something more secure if you can't get rid of the weak link?
Yeah it really makes you think of all the other methods you might not even know about. My bank has an mobile app to connect that I'm not using because I don't trust it, but what if it's indeed insecure and someone else exploit it...
I notice AT&T is quoted as saying "we dispute these allegations and look forward to presenting our case in court". It's interesting they didn't say "these allegations are baseless and without merit". I wonder if that means anything.
A "baseless allegation" is one with no evidence or reason. This guy has a reason and presumably evidence, so his allegations are not baseless.
A baseless allegation would be if I were suing AT&T for losing all my crypto investments. I have none and am not an AT&T customer.
An "allegation without merit" means no rational interpretation of the law would result in a guilty conviction of the allegations. Baseless ones are almost always without merit.
You provided unnecessary and unhelpful definitions, from my perspective.
I assume as axiomatic (and required by HN guidelines) that you intended to be helpful and relevant, so I asked a question to determine what you were thinking.
If you do not think lawyers use the "baseless" language in a totally transparent, sincere way, then I would've expected you to be more interested in when and how they do that, which is the discussion I was looking for, if any.
Wow, if that's how you really feel. Your eagerness to fall back to rules lawyering to justify your behavior instead of reflecting where our misunderstanding is and working to resolve it, is the kind of toxic online behavior I will gladly get dinged for.
I will help you and go ahead and flag all of my posts in this thread so dang and others can take moderative actions against me.
“If the facts are against you, argue the law. If the law is against you, argue the facts. If the law and the facts are against you, pound the table and yell like hell.”
I suspect good lawyers refrain from falsely alleging a claim is baseless when they have more sound arguments to make, and they save the histrionics for table pounding occasions.
How can he prove he did posses this amount of crypto currency and is not making everything up? With a system without any regulation nor oversight where you have to play your own bank, this is exactly what you’ve signed up for...
Even more analogously in my opinion: someone walked into the dealer, said "hey, transfer the keyless entry for my car to this fob right here" and they did.
I think the "cash left in the car" part captures the negligence on the cryptocurrency holder's part. One, he explicitly chose to store his wealth in a medium without reversal mechanisms. Two, he used an online account. AT&T bears some blame for his loss, but not a tremendous amount.
I could reasonably argue that they should not allow any employee to give out my details, such that they can intercept my messages, to anyone. And by allow, I mean even make it possible.
I think about this a lot as the phone is a pretty obvious single point of failure for 2FA and telcos are easily pwned through basic social engineering. I struggle with removing it as an alternative though because losing your phone or 2FA device leaves you in a pretty nasty spot. Tough choice.
There's not a lot of detail in the article, but reading between the lines it seems like an attacker went to an AT&T retail location and pretended to be the plaintiff in order to re-assign the plaintiff's phone number to a new SIM card.
Who the hell keeps $24M worth of crypto on a phone? I only trust open source systems, do all large transactions on fresh Linux, disable JS if I have to use the browser, never visit any unusual websites, nothing not related to the process.
I'm going by the content of the story, which describes acquiring the phone number as the key issue.
> After the first hack, Terpin alleged that an impostor was able to get his phone number from an "insider cooperating with the hacker" without an AT&T store employee requiring him to show valid identification or provide a required password. That phone number was later used to access Terpin's cryptocurrency accounts, according to the complaint.
It's just that the article says, "was able to get his phone number".
Getting a phone number, to me, has always had a pretty universal meaning, which is to simply learn its digits. But I suppose you must be right and they actually mean a deeper compromise.
1) $200M in punitive damages? The hack occurred in January, and the price has gone down across all cryptocurrencies substantially since then.
2) Was the password hacked? Or did the exchange allow password resets via SMS? (So negligence made 2fa really 1fa) In this situation it seems AT&T would be at most 50% responsible.
You could reduce that further by arguing AT&T aren't at fault because third-parties built authentication and identity protocols ontop of what was never guaranteed to be a secure or authenticated channel
And then diminish it to zero again because yes it should be possible for employees to do that. The economic value for most people of being locked out of your phone number and not being able to easily fix the problem or easily upgrade a phone exceeds the cost imposed when some of those people are morons and assume ability to receive an SMS message sent to a particular phone number is any sort of security factor.
My first thought was "cryptocurrency is fundamentally not investment but speculation they don't create anything of value but squander vast ammounts. Second is that it is multileveled frustration that both phone systems are so damn insecure like the completely insecure call identification - while international efforts to track down telefraud rings are well and good a proper system would prevent most of their tricks.
